1

I am facing the reality of using mysqli vs. mysql. I have the following function that sanitizes data

This is how the code was using mysql

  function sanitize($data){
      return htmlentities(strip_tags(mysql_real_escape_string($data)));
  }

Error message when using mysql

   Warning: mysqli_real_escape_string() expects exactly 2 parameters, 1 given in...

After reading the PHP manual reference on https://www.php.net/mysqli_real_escape_string I made the changes below...

  function sanitize($data){
      return htmlentities(strip_tags(mysqli_real_escape_string($data, '0')));
  }

...I receive the following Error message after using mysqli

  Warning: mysqli_real_escape_string() expects parameter 1 to be mysqli, string given in....

This is now preventing me from logging in. Any help is greatly appreciated!

4
  • You read mysqli $link , string $escapestr in the manual and change your code to $data, '0'? There're many examples if you can't understand the syntax of the manual. Commented Jan 27, 2014 at 10:24
  • Yes! I have been learning PHP for 2 months now... I know it may seem not wise at all!!! My apologies, I wish I could grasp this stuff much quicker and faster. It is not that easy sometimes, especially when I am following a tutorial. Hands-on is a great way to learn, but it will require some time to get the hang of the logic behind what is being developed. As I said, my apologies... Commented Jan 27, 2014 at 10:27
  • 1
    BTW, your function is called sanitize() but a more proper name would be mangle() or corrupt(). If you read that in a tutorial I suggest you find another reference text—that code doesn't make any sense. Commented Jan 27, 2014 at 10:29
  • Alvaro, thank you for your comment. I intend to learn more about PHP and hopefully the proper way. At the beginning, it is easier to work with something, but I agree with you! Thanks again! Commented Jan 27, 2014 at 10:32

2 Answers

4

"Warning: mysqli_real_escape_string() expects parameter 1 to be mysqli" is pretty self-explanatory...

You need to provide your mysqli instance as the first parameter, and your string as the second parameter.

E.g.

mysqli_real_escape_string($mysqli_conn, $data)


2 Comments

So I take it, establishing a connection through an init.php file does not suffice... mysqli requires the connection to be passed as a parameter. Thanks Ryan!!
Unless you use the Scope Resolution Operator (see php.net/manual/en/language.oop5.paamayim-nekudotayim.php) mysqli::real_escape_string($data) where the link is already set the instance you're referencing.
1

From the manual:

string mysqli_real_escape_string ( mysqli $link , string $escapestr )

Why do you need database connection to escape a string?!

The string escape function needs to know which encoding your database connection uses to properly escape the strings. So you have to pass the connection to the function.

The function mysqli_real_escape_string($mysqli, $str) has something like this in it:

$encoding = $mysqli->getConnectionEncoding();

This is why you have to pass the connection.

This modern software design pattern (pass something that is needed inside a class through the constructor or as a function's param) is called dependency injection (short DI pattern).


A yet better way would be to use the OOP style:

$con           = new mysqli();
$escapedString = $con->real_escape_string($string);
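Added example, not part of the original question or answers: the all-in-one sanitize() split by context, with SQL escaping tied to the connection (and its character set) and HTML encoding applied only on output. The host, credentials, database name, `users` table and all helper names are hypothetical placeholders.

```php
<?php
// Added example. Host, credentials, database and the `users` table are placeholders.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw exceptions instead of warnings

$link = new mysqli('localhost', 'app_user', 'app_password', 'app_db');
// real_escape_string() escapes according to the connection character set,
// so set it explicitly before escaping anything.
$link->set_charset('utf8mb4');

// HTML context: encode only at the point where a value is echoed into a page.
function html_out(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// SQL context, escaping style: the escaped value must sit inside quotes in the
// query text. No strip_tags()/htmlentities() here, so the value compared against
// the database is exactly what the user typed.
function find_user_escaped(mysqli $link, string $username): ?array
{
    $sql = "SELECT id, username FROM users WHERE username = '"
         . $link->real_escape_string($username) . "'";
    return $link->query($sql)->fetch_assoc() ?: null;
}

// SQL context, prepared-statement style: the value travels separately from the
// SQL text, so no escaping function is needed at all.
function find_user_prepared(mysqli $link, string $username): ?array
{
    $stmt = $link->prepare('SELECT id, username FROM users WHERE username = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->bind_result($id, $name);
    $found = $stmt->fetch();
    $stmt->close();
    return $found ? ['id' => $id, 'username' => $name] : null;
}

$input = "O'Brien <admin>"; // constructed sample input
foreach (['find_user_escaped', 'find_user_prepared'] as $lookup) {
    $user = $lookup($link, $input);
    echo $lookup, ': ', $user ? 'Hello, ' . html_out($user['username']) : 'no such user', PHP_EOL;
}
```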
